Conference: International Conference on Computer Communications and Networks

An Improved Conflict Detection System with Periodic Cycle Treatment for Time-based Firewall Policies


Abstract

Packet filtering provides an initial layer of security based upon a set of ordered filters called firewall policies. Managing and maintaining firewall policies is a difficult task for the administrator, as it is error-prone and complicated in a dynamic network environment. A conflict is a misconfiguration that happens when two or more filters overlap each other, resulting in shadowing and redundancy of the filters. On the other hand, time-based filters were introduced in Cisco firewalls and Linux iptables to control network traffic on the basis of time. They are very handy when a service is required to be available only at certain times of day or even on certain days. A conflict occurs in time-based filters when two or more filters fall on the same timing. It is therefore necessary to detect conflicts in time-based filters. We make two main contributions in this paper. First, we propose a mapping mechanism to treat periodic cycles, such as every day or every specific day of the week, that removes unnecessary computation. Second, we decompose time into intervals and compute the conflicting filters in each interval. We implemented the mechanism using a time divisor comprising seven primitive time-handling operations. We have also developed a prototype system to prove the effectiveness of the approach. We experimentally analyzed our system with different samples of time-based filters by varying the percentage of periodic cycles, and thereby clarified the effectiveness of the proposed mechanism.
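The two ideas in the abstract (folding periodic schedules onto one cycle, then checking for conflicts interval by interval) can be sketched as follows. This is an added example, not the paper's time divisor or prototype: the filter model (a single destination-port range per filter), the minutes-of-week cycle, the function names and the sample policy are all assumptions, and the shadowing/redundancy labels follow the common usage of those terms.

```python
# Added illustration; the filter model and all names are assumptions, not the paper's.
from itertools import combinations

WEEK = 7 * 24 * 60  # one weekly cycle, in minutes
DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]

def weekly_spans(days, start, end):
    """Map a periodic 'HH:MM'-'HH:MM' window on the given days onto one weekly cycle."""
    def minutes(hhmm):
        h, m = map(int, hhmm.split(":"))
        return h * 60 + m
    s, e = minutes(start), minutes(end)
    spans = []
    for d in days:
        base = DAYS.index(d) * 1440
        if s < e:
            spans.append((base + s, base + e))
        else:  # window crosses midnight: split it, wrapping Sunday night into Monday
            nxt = (base + 1440) % WEEK
            spans += [(base + s, base + 1440), (nxt, nxt + e)]
    return spans

def find_conflicts(filters):
    """filters: ordered dicts with name, action, ports=(lo, hi), days, start, end."""
    spans = {f["name"]: weekly_spans(f["days"], f["start"], f["end"]) for f in filters}
    # Decompose the week into elementary intervals at every schedule boundary.
    cuts = sorted({p for ss in spans.values() for span in ss for p in span})
    found = []
    for lo, hi in zip(cuts, cuts[1:]):
        active = [f for f in filters
                  if any(s <= lo and hi <= e for s, e in spans[f["name"]])]
        for a, b in combinations(active, 2):  # a precedes b in policy order
            (alo, ahi), (blo, bhi) = a["ports"], b["ports"]
            if alo > bhi or blo > ahi:
                continue  # match fields are disjoint: no conflict in this interval
            if alo <= blo and bhi <= ahi:  # earlier filter fully covers the later one
                kind = "shadowing" if a["action"] != b["action"] else "redundancy"
            else:
                kind = "overlap"
            found.append((lo, hi, a["name"], b["name"], kind))
    return found

# Constructed sample policy: a nightly deny and two Monday-morning allows.
POLICY = [
    {"name": "F1", "action": "deny", "ports": (0, 1023), "days": DAYS, "start": "22:00", "end": "06:00"},
    {"name": "F2", "action": "allow", "ports": (443, 443), "days": ["mon"], "start": "05:00", "end": "09:00"},
    {"name": "F3", "action": "allow", "ports": (8080, 8080), "days": ["mon"], "start": "05:00", "end": "09:00"},
]
```

On the sample policy, the only conflict is on Monday between 05:00 and 06:00 (minutes 300 to 360 of the week), where the nightly deny F1 shadows the allow F2; the "every day" filter is handled by seven folded spans rather than by enumerating calendar dates.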